Security is not just for merchants and card users to take care of; central government at both the national and European level as well as the payments industry should step up and take responsibility too.
A 2011 report by Trustwave showed 90% of incidents where card data is compromised occur in level 4 merchant environments, typically small to medium sized businesses. Large organisations are better educated, funded and resourced so are increasingly harder for criminals to target, although not immune as demonstrated by high profile data breaches.
It is smaller merchants that are being targeted and the payments industry needs to be helping these vulnerable merchants now. Regularly speaking to retailers has enabled me to get a better understanding of the traumas that PCI compliance causes them. At a recent Association of Convenience Store (ACS) conference one retailer told me that the prospect of not being compliant, suffering a breach, and the potential reputational damage that would follow causes him sleepless nights. The possibility that word-of-mouth between customers that their data wasn’t secure with him would be crippling to his reputation – even now without a legal obligation to report it.
Others are overwhelmed by the complexities of achieving compliance. Another retailer recently asked me about a letter he had received from his bank informing him that he wasn’t PCI compliant and should he not rectify this he would be penalised – they had no idea of the full implications of PCI compliance, how important it is and the severe financial impact to their business, should they suffer a data breach. The reality is they are not alone, far too many businesses take far too few steps towards adequately securing their payment and non-payment systems.
A key problem facing the payments security industry in Europe is the lack of publicity when compared to other countries such as the USA.
One of the key differences is the relationship between merchants, banks, government and the requirements imposed upon merchants and payment service providers to publicise such breaches. In the United States, California was the first state to legislate for publicising data breaches in 2003, an example now replicated by 38 of the 50 states. This is encouraging but the differences in legislation globally makes the process fragmented – legislation for breach announcements as a deterrent should be universal as fraud is global and fraud rings see no boundaries. This fragmentation when reporting breaches globally presents a false perception of where the problems are occurring.
In the rest of the world breaches can be brushed under the carpet…
Currently in the UK and Europe there is no legal requirement for the greater majority of businesses to declare breaches; that does not mean they don’t happen. According to UK Fraud Statistics in 2010 more than 417.5 million Euros in UK card fraud-well over a million Euros per day – was detected.
The problem the industry faces currently is the lack of understanding of smaller retailers of the need to increase security.
The new European Data Protection Regulation due in 2014 will give the card schemes additional back up to enforce the fines which are presently seen as hollow threats; this is a step in the right direction but there needs to be another message alongside it.
It needs to be clear that best practice security measures for the payments environment is good business and will go a long way to protecting a business holistically. It shouldn’t be treated as a task where a merchant does as much as they are obliged and no more. Too many merchants are unaware of their obligations to PCI DSS or demonstrate apathy towards the risk they are susceptible to by not adhering to these measures.
Merchants found in breach of PCI can be fined £1000s per card breached – it takes minutes to steal thousands of card details electronically; the ramifications for a small business can be crippling. This is not necessarily the fault of the small merchants who were not the initial focus for the PCI council following the inception in 2004 of the Payments Card Industry Data Security Standards (PCI DSS).
As Jeremy King European Director of the PCI Council stated in a recent roundtable “We’ve started off with the big retailers and we’ve gone down to the next level and now we’re getting down to the smaller merchants. The brands don’t differentiate between the big and small merchants when there’s a data breach, they just come in and hit you. For smaller merchants it’s end of game.”
Merchants think that there isn’t a problem in the UK as they never hear about it – this couldn’t be further from the truth. Fraudsters are now targeting small, local, independent businesses and the PCI council, banks, acquirers and security vendors have a duty to educate and provide cost effective quality solutions to these smaller merchants to equip them in the fight to maintain security and ultimately their business.
The Verizon 2012 Data Breach Investigations Report found that 96% of the breach victims investigated were not PCI DSS compliant when they were last assessed. Perhaps this is because compliance measures are complicated for the average retailer, especially the technical network specifications referred to in self-assessment questionnaires.
This is something which Phoenix as a security vendor is tackling head on by investing heavily and embarking upon extensive research and development to get the right product to help protect smaller merchants. Phoenix is reaching out to smaller merchants via trade bodies such as the Retail Motor Industry (RMI) and the Association of Convenience Stores (ACS), educating them on payment security and correcting some of the misconceptions surrounding internet security and PCI compliance.
Phoenix is doing this not just because it helps the business, but because after a collective 200 years + experience of our management team in payments we can see that something needs to be done. More people are transferring to IP for their payments needs, and with this cyber criminals have ever more opportunity to strike, and are targeting smaller retailers now. We believe the industry should be doing the right thing by the smaller retailer so they are better protected.
Security can’t be achieved through regulation and enforcement alone, it needs to be adopted as a culture in business with all parties including banks, acquirers or merchants adopting a collaborative approach to help themselves and their customers. Only once this is achieved will we be in a position to be truly secure.